Security Watch

Virtual Vulnerabilities

Flaws in VMware's products have been patched. Also, Apple WiFi hack gets published; inside reputation-based attacks.

• By Russ Cooper
• 10/31/2007

Included in this suite of fixes are several packages from third-parties, such as ISC BIND, MIT krb5 and others that affect the ESX Service Console. In addition to the DHCP fixes, several fixes address other breakout issues that could allow guest OS users to obtain privileges on the host or execute code on the host.

The issues addressed are, obviously, serious and could considerably affect the perceived security of a VMware installation. However, we do believe it is prudent to remind everyone that relying upon VMware or virtualized partitions to ensure the security of the underlying OS is a mistake. While significant segmentation is done, the products are not designed to provide a secure boundary between guest and host, but instead to ensure that failure of processes in the guest environment does not affect the host.

In the Open: Apple Wi-Fi Hack
David Maynor, formerly with SecureWorks and now with Errata, has finally published details of his infamous Apple Wi-Fi hack he demonstrated at Black Hat in 2006. At the time, Maynor demonstrated the ability to compromise a MacBook with a third-party, USB-based WiFi adapter, but claimed he could do it with the built-in Airport adapter too. Apple fixed the issue in September 2006, based on an internal audit.
http://www.computerworld.com.au/index.php/id;1809081490;fp;4;fpid;16
http://uninformed.org/?v=8&a=4

Well, this issue certainly got its fair share of airplay. Everyone was up in arms at the time because Maynor didn’t use native Apple hardware to demonstrate a flaw he claimed was in Apple. He said the exploitable drivers were there on Apple systems running OS X, but because of the use of the third-party adapter, few believed him. Further, Apple downplayed any claims by stating they had not received any information claiming there were flaws in their products.

Maynor has now published an extensive document outlining precisely how they discovered the flaw, by accident, while attempting fuzzing tests on other equipment. He details how the flaw was clarified, and how proof-of-concept code was developed. Maynor says he has done this now in order to shed some light on Mac vulnerability research.

BOF Flaws in MFC Libraries
The Microsoft Foundation Class libraries versions 4.1 and 7.1 are vulnerable to a buffer overflow in the FindFile function. Any application which uses this function from either of these libraries, and provides a means by which the variable sent to the function can be manipulated, can allow for code of the criminal’s choice to execute in the context of the application (typically running in the security context of the user). Patches are currently unavailable.
http://www.kb.cert.org/vuls/id/611008
http://goodfellas.shellcode.com.ar/own/VULWKU200706142

Talk about a useless vulnerability, and the discoverers have gone to the effort of writing proof-of-concept exploit code. Consider that for flaw to be exploited, the criminal must first figure out which application uses the function, then how it accepts parameters to the function, and finally convince you to provide those parameters to the application running on your system. If this could all be done in the form of a URL, we might be a little concerned, but the most likely method of exploitation is going to be via a user-supplied string in a text box -- a string that’s going to include shellcode. It's pretty unlikely that any user is going to be convinced that that's the text they should put in the text box.

Reputation-Based Attacks on Rise?
After surviving numerous DDoS attacks, CastleCops was then subjected to another form of harassment -- fraudulent donations via PayPal. Some 37 donations, from as little as $1 to as much as $2,800 have been refunded so far and CastleCops is working with both the FBI and PayPal to try and identify all such transactions. CastleCops is a not-for-profit business attempting to stem the tide of online criminal activities and is largely sustained by donations. This new form of attack threatens to hamper their fund-raising activities should PayPal decide they are more hassle than it's worth.
http://blog.washingtonpost.com/securityfix/2007/09/the_danger_of_reputation_attac.html?nav=rss_blog

When you’re a criminal, with virtually unlimited resources of all forms, nothing is impossible.

RemoteDocs Not Immune to Arbitrary Code Execution Flaw
Data-Vision RemoteDocs R-Viewer, a native PCL document viewer and utility which unpackages RemoteDocs Z (rdz) formatted document packages, can be exploited to cause a program of the criminal’s choice to execute. RemoteDocs has released v1.6.3768 (or higher) which corrects the vulnerability.
http://www.symantec.com/content/en/us/enterprise/research/SYMSA-2007-009.txt

RDZ packages sound similar to a PKZip file. They can compress a single, or multiple, documents and provide the ability to be digitally signed. An digital signature can be forged and allow R-Viewer to believe the RDZ package is sound, and when processed it will execute the first object in the archive, which could be an executable.